TCPDUMP for mortals

This document describes how to give normal users access to the
Berkeley Packet Filter (bpf) devices without giving them root access
and without making the sniffer programs setuid root.

Note: it has come to my attention that Linux doesn't have a bpf device.
There the access check sits deep in the kernel, in the raw/packet socket
(SOCK_RAW) code: a process needs the CAP_NET_RAW capability to open
such a socket (and CAP_NET_ADMIN to put an interface in promiscuous
mode). The closest Linux equivalent of the trick below is to grant those
two capabilities to the sniffer binary with setcap(8), for example
"setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump", instead of
making it setuid root. So much for the "everything is a file" policy.

Problem

In the networking group I was working in, we had a couple of unix
servers and a couple of portable unix machines (for troubleshooting).
If you're in the networking group, packet sniffing is one of the ways
you do your job. So the people in that group need access to the bpf
devices, but you don't want to give them complete access to the system.

The bpf devices are owned by root with no permission bits for anybody
else, so nobody else can open them. That is a good thing. But it means
that to read from one you need root access to the system, or the packet
sniffer has to be setuid root. Bzzzt: wrong. What you want is to give
exactly the right people read access to the device, and nothing more.

A step in the right direction

At this moment the group on /dev/bpf* is wheel, the same group whose
members are allowed to su to root. So if you make the device readable
for group wheel and put everybody who needs access into wheel, they can
open the bpf device and read from the network. But this solution also
lets them peek over your shoulder, pick up the root password and become
root themselves, because wheel membership is what su checks.

Solution

Make a new group called bpfusers in /etc/group, change the group of
/dev/bpf* to bpfusers, make the devices readable for that group only
(not for the world), and add everybody who needs to be able to do
packet sniffing to that group.
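
The procedure above, as an added example that is not part of the original page: a small sh script that creates the group, adds the users, sets the group and mode on /dev/bpf*, and then audits the result so you can see that nothing is left world-readable. It assumes a FreeBSD-style system with pw(8), chgrp(1) and chmod(1). The group name bpfusers and the read-only group access follow the text above; the mode 0640, the script name bpf-setup.sh and the audit function are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original page: create the bpfusers group,
# give it read access to /dev/bpf*, and audit the result.
# Assumes a FreeBSD-style system with pw(8), chgrp(1) and chmod(1).
# "bpfusers" follows the text above; the mode 0640 and the audit logic
# are this example's own choices.

GROUP=bpfusers
MODE=0640

# Create the group if it is missing and add each named user to it.
setup_bpfusers() {
    pw groupshow "$GROUP" >/dev/null 2>&1 || pw groupadd "$GROUP"
    for u in "$@"; do
        pw groupmod "$GROUP" -m "$u"
    done
    # root keeps the devices, the group may read them, nobody else gets anything
    chgrp "$GROUP" /dev/bpf*
    chmod "$MODE" /dev/bpf*
}

# Policy check on one device as printed by ls -l: mode string, owner, group.
# Returns 0 when the device is root-owned, readable by $GROUP and closed to
# everybody else; 1 otherwise.  Used by audit_bpf, usable on its own.
bpf_perm_ok() {
    mode=$(printf '%.10s' "$1")      # drop a trailing '+' / '@' ACL marker
    owner=$2
    group=$3
    [ "$owner" = root ] || return 1
    [ "$group" = "$GROUP" ] || return 1
    [ "${mode#???????}" = "---" ] || return 1   # "other" bits must be empty
    case "$mode" in
        ????r*) return 0 ;;                     # group read bit is set
    esac
    return 1
}

# Walk /dev/bpf* and flag anything that does not match the policy.
audit_bpf() {
    rc=0
    for dev in /dev/bpf*; do
        [ -e "$dev" ] || continue
        set -- $(ls -l "$dev")                  # $1 mode, $3 owner, $4 group
        if bpf_perm_ok "$1" "$3" "$4"; then
            echo "ok  $dev $1 $3:$4"
        else
            echo "BAD $dev $1 $3:$4"
            rc=1
        fi
    done
    return "$rc"
}

# Usage (as root): sh bpf-setup.sh apply alice bob   or   sh bpf-setup.sh audit
case "${1:-}" in
    apply) shift; setup_bpfusers "$@"; audit_bpf ;;
    audit) audit_bpf ;;
esac
```

Run it as root: "sh bpf-setup.sh apply alice bob" creates the group, adds the two users and fixes the devices; "sh bpf-setup.sh audit" only checks. Two caveats that go beyond the original text: libpcap opens the device read-write first and falls back to read-only, so 0640 is enough for capturing, but tools that also send packets through bpf need 0660; and on FreeBSD releases that use devfs the device nodes are recreated at boot, so the same group and mode should also go into a devfs rule (an "add path 'bpf*' mode 0640 group bpfusers" line in /etc/devfs.rules) rather than relying on a one-off chmod.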

With this solution the people who need the sniffer tools get access to
the bpf device without root access, without setuid-root packet
sniffers, and without you having to worry that people who are not
allowed to use a packet sniffer can do so anyway. Membership in
bpfusers is now the only thing that decides, so keep that group as
short as wheel, and check after the change that "ls -l /dev/bpf*"
shows root:bpfusers with no permission bits for "other".